Tuesday, July 19, 2011

Test The Net and Gain The Root



Scan to Check the Website

PING xxxxxx (xxxxxx) 56(84) bytes of data.
64 bytes from xxxxxx: icmp_seq=1 ttl=64 time=38.8 ms
64 bytes from xxxxxx: icmp_seq=2 ttl=64 time=39.9 ms
64 bytes from xxxxxx: icmp_seq=3 ttl=64 time=42.1 ms
64 bytes from xxxxxx: icmp_seq=4 ttl=64 time=41.9 ms
^C
--- xxxxxx ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 38.899/40.739/42.113/1.361 ms

Information Gathering

With Nmap, we get:

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

Vulnerability Assessment

Looking at the site, it appears to be running an old version. We search Exploit-DB and test what we find.

Pentesting

Oops, it looks like the site is vulnerable. With the add-user vulnerability, we can add a user. Next, we go to the login form and sign in with the new user. Ta-da, we are now in the web dashboard.

First, we look for a file-upload feature. It looks like the site doesn't have one (or maybe the PHP upload page just doesn't appear). So we searched for another vulnerability. I think it is the programmer's fault, because in the end we found the file manager, where the files are writable.

We can edit all the files, but the one we chose is wp-mail.php. We replace its contents with the backdoor file (and don't forget to copy all of the code in wp-mail.php so that wp-mail.php can be put back to normal again). After editing, we update the file. To see the result, we open the link: xxxxxx/wp-mail.php

It works. Now we create another PHP backdoor and put wp-mail.php back to normal.


We try binding a port so that we can connect back again with nc from other places. Next, we upload the local exploit and compile it. Finally, we get root.
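
Seen from the defending side, the wp-mail.php edit, the restore and the extra PHP file described above are what a file-integrity baseline is meant to catch. The Python below is an added example, not part of the original post; the temporary directory, the file contents and the name extra.php are constructed for the demonstration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(root, baseline):
    """Compare the tree with a known-good baseline and flag loosely writable PHP files."""
    current = snapshot(root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    writable = sorted(
        p for p in current
        if p.endswith(".php")
        and os.stat(os.path.join(root, p)).st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    )
    return {"modified": modified, "added": added, "missing": missing, "writable": writable}

def demo():
    """Constructed site tree that replays the sequence of file changes in the write-up."""
    with tempfile.TemporaryDirectory() as root:
        mail = os.path.join(root, "wp-mail.php")
        original = b"<?php /* constructed stand-in for the stock file */\n"
        with open(mail, "wb") as fh:
            fh.write(original)
        os.chmod(mail, 0o666)            # group/world writable, the misconfiguration
        baseline = snapshot(root)        # taken while the install is known good
        with open(mail, "wb") as fh:     # the core file is overwritten
            fh.write(b"<?php /* placeholder for foreign code */\n")
        during = audit(root, baseline)
        with open(mail, "wb") as fh:     # the core file is put back to normal
            fh.write(original)
        with open(os.path.join(root, "extra.php"), "wb") as fh:  # a new file is left
            fh.write(b"<?php /* placeholder */\n")
        after = audit(root, baseline)
    return during, after

if __name__ == "__main__":
    for label, report in zip(("during", "after"), demo()):
        print(label, report)
```

Once wp-mail.php is restored the "modified" list is empty again, so the "added" and "writable" findings are the ones that still expose the change afterwards.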
